From 0579c8c3d80c5e25e38ebfe1ebc713276a6c7b12 Mon Sep 17 00:00:00 2001
From: wangruidong <940853815@qq.com>
Date: Tue, 10 Mar 2026 15:07:54 +0800
Subject: [PATCH] fix: Add backend REST API that handles Organization CRUD operations and RBAC role assignments license validation
---
 apps/common/permissions.py | 9 +++++++++
 apps/orgs/api.py | 4 +++-
 apps/rbac/api/rolebinding.py | 3 +++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index 72948d4b1..e46e7099b 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -92,6 +92,15 @@ class IsValidLicense(permissions.BasePermission):
 return settings.XPACK_LICENSE_IS_VALID
+class IsValidLicenseForWriteAction(permissions.BasePermission):
+ """Allow read for all, require valid license for write operations"""
+
+ def has_permission(self, request, view):
+ if request.method in permissions.SAFE_METHODS:
+ return True
+ return settings.XPACK_LICENSE_IS_VALID
+
+
 class IsOwnerOrAdminWritable(IsValidUser):
 def has_object_permission(self, request, view, obj):
 if request.user.is_superuser:
diff --git a/apps/orgs/api.py b/apps/orgs/api.py
index 1bcb4a6ac..1ed516f0a 100644
--- a/apps/orgs/api.py
+++ b/apps/orgs/api.py
@@ -10,10 +10,11 @@ from assets.models import (
 Asset, Zone, Label, Node,
 )
 from common.api import JMSBulkModelViewSet
-from common.permissions import IsValidUser
+from common.permissions import IsValidUser, IsValidLicenseForWriteAction
 from common.utils import get_logger
 from orgs.utils import current_org, tmp_to_root_org
 from perms.models import AssetPermission
+from rbac.permissions import RBACPermission
 from users.models import User, UserGroup
 from .models import Organization
 from .serializers import (
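Review bot: `IsValidLicenseForWriteAction.has_permission` never looks at `request.user`, so used on its own it admits anonymous reads and, when the license is valid, anonymous writes; it is only safe when listed next to a class that authenticates the caller. The one-line docstring reads as if the class were a complete policy, so I would spell the contract out, e.g. `"""License gate only: performs no authentication or RBAC check; always list it together with RBACPermission or IsValidUser."""`. The gate is also keyed on the HTTP method rather than the view action, so any GET-routed custom action on a viewset that uses it counts as a read; it is worth confirming that none of the affected viewsets exposes one that changes state.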
@@ -33,6 +34,7 @@ class OrgViewSet(JMSBulkModelViewSet):
 search_fields = ('name', 'comment')
 queryset = Organization.objects.all()
 serializer_class = OrgSerializer
+ permission_classes = [RBACPermission, IsValidLicenseForWriteAction]
 def get_serializer_class(self):
 mapper = {
diff --git a/apps/rbac/api/rolebinding.py b/apps/rbac/api/rolebinding.py
index bd33a7168..55f8b6fc3 100644
--- a/apps/rbac/api/rolebinding.py
+++ b/apps/rbac/api/rolebinding.py
@@ -3,10 +3,12 @@ from django.db.models.functions import Concat
 from django.utils.translation import gettext as _
 from common.exceptions import JMSException
+from common.permissions import IsValidLicenseForWriteAction
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import current_org
 from .. import serializers
 from ..models import RoleBinding, SystemRoleBinding, OrgRoleBinding
+from ..permissions import RBACPermission
 __all__ = [
 'RoleBindingViewSet', 'SystemRoleBindingViewSet',
@@ -49,6 +51,7 @@ class SystemRoleBindingViewSet(RoleBindingViewSet):
 class OrgRoleBindingViewSet(RoleBindingViewSet):
 serializer_class = serializers.OrgRoleBindingSerializer
+ permission_classes = [RBACPermission, IsValidLicenseForWriteAction]
 def _get_queryset(self):
 return OrgRoleBinding.objects.root_all()
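Review bot: Assigning `permission_classes` on `OrgViewSet` replaces whatever list the view previously inherited from `JMSBulkModelViewSet` or the project's DRF defaults instead of adding to it, and the same applies to `OrgRoleBindingViewSet` in apps/rbac/api/rolebinding.py. Neither inherited list is visible in this patch, so please confirm that `RBACPermission` alone covers every check that applied before this change. A short comment above the assignment, such as `# replaces the inherited permission list: RBACPermission authenticates and authorizes, the license class only gates writes`, would keep a later edit from dropping `RBACPermission` and leaving the license class as the only check. The class body continues outside the hunk.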
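Review bot: Only `OrgRoleBindingViewSet` receives the license gate here, while `RoleBindingViewSet` and `SystemRoleBindingViewSet`, both listed in `__all__`, keep their previous permissions. If the base `RoleBindingViewSet` is routed and accepts writes for org-scoped bindings (not visible in this patch), the same records could still be changed without a valid license, so either gate the base class or add a comment explaining why it is exempt. The patch also carries no test; one asserting that a write to the org role-binding endpoint is denied when `XPACK_LICENSE_IS_VALID` is false, while a GET still succeeds, would pin the intended behaviour.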